华为VPN技术

LKAI.2024-11-20 23:08

1. 启动设备

2. 配置IP地址

FW1\]int g1/0/0 \[FW1-GigabitEthernet1/0/0\]ip add 192.168.1.254 24 \[FW1-GigabitEthernet1/0/0\]int g1/0/1 \[FW1-GigabitEthernet1/0/1\]ip add 100.1.1.1 24 \[FW1-GigabitEthernet1/0/1\]service-manage ping permit \[FW2\]int g1/0/0 \[FW2-GigabitEthernet1/0/0\]ip add 192.168.2.254 24 \[FW2-GigabitEthernet1/0/0\]int g1/0/1 \[FW2-GigabitEthernet1/0/1\]ip add 200.1.1.2 24 \[FW2-GigabitEthernet1/0/1\]service-manage ping permit \[AR1\]int g0/0/0 \[AR1-GigabitEthernet0/0/0\]ip add 100.1.1.2 24 \[AR1-GigabitEthernet0/0/0\]int g0/0/1 \[AR1-GigabitEthernet0/0/1\]ip add 200.1.1.1 24 **3.** **配置Tunnel接口** \[FW1\]int Tunnel 0 \[FW1-Tunnel0\]ip add 172.16.1.1 24 \[FW1-Tunnel0\]tunnel-protocol gre \[FW1-Tunnel0\]source 100.1.1.1 \[FW1-Tunnel0\]destination 200.1.1.2 \[FW2\]int Tunnel 0 \[FW2-Tunnel0\]ip add 172.16.1.2 24 \[FW2-Tunnel0\]tunnel-protocol gre \[FW2-Tunnel0\]source 200.1.1.2 \[FW2-Tunnel0\]destination 100.1.1.1 **4.** **将防火墙接口加入指定区域** \[FW1\]firewall zone trust \[FW1-zone-trust\]add int g1/0/0 \[FW1-zone-trust\]q \[FW1\]firewall zone untrust \[FW1-zone-untrust\]add int g1/0/1 \[FW1-zone-untrust\]add int Tunnel 0 \[FW2\]firewall zone trust \[FW2-zone-trust\]add int g1/0/0 \[FW2-zone-trust\]q \[FW2\]firewall zone untrust \[FW2-zone-untrust\]add int g1/0/1 \[FW2-zone-untrust\]add int Tunnel 0 **5.** **配置OSPF** \[FW1\]ospf 1 \[FW1-ospf-1\]area 0 \[FW1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1\]ospf 1 \[AR1-ospf-1\]area 0 \[AR1-ospf-1-area-0.0.0.0\]network 100.1.1.0 0.0.0.255 \[AR1-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 \[FW2\]ospf 1 \[FW2-ospf-1\]area 0 \[FW2-ospf-1-area-0.0.0.0\]network 200.1.1.0 0.0.0.255 **6.** **配置路由条目** \[FW1\]ip route-static 192.168.2.0 24 Tunnel 0 \[FW2\]ip route-static 192.168.1.0 24 Tunnel 0 **7.** **配置防火墙策略** \[FW1\]security-policy \[FW1-policy-security\]rule name local-untrust \[FW1-policy-security-rule-local-untrust\]source-zone local \[FW1-policy-security-rule-local-untrust\]destination-zone untrust \[FW1-policy-security-rule-local-untrust\]source-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]destination-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-local-untrust\]action permit \[FW1-policy-security-rule-local-untrust\]q \[FW1-policy-security\]rule name untrust-local \[FW1-policy-security-rule-untrust-local\]source-zone untrust \[FW1-policy-security-rule-untrust-local\]destination-zone local \[FW1-policy-security-rule-untrust-local\]source-address 200.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]destination-address 100.1.1.0 0.0.0.255 \[FW1-policy-security-rule-untrust-local\]action permit \[FW1-policy-security-rule-untrust-local\]q \[FW1-policy-security\]rule name trust-untrust \[FW1-policy-security-rule-trust-untrust\]source-zone trust \[FW1-policy-security-rule-trust-untrust\]destination-zone untrust \[FW1-policy-security-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-security-rule-trust-untrust\]action permit \[FW1-policy-security-rule-trust-untrust\]q \[FW1-policy-security\]rule name untrust-trust \[FW1-policy-security-rule-untrust-trust\]source-zone untrust \[FW1-policy-security-rule-untrust-trust\]destination-zone trust \[FW1-policy-security-rule-untrust-trust\]action permit \[FW2\]security-policy \[FW2-policy-security\]rule name untrust-local \[FW2-policy-security-rule-untrust-local\]source-zone untrust \[FW2-policy-security-rule-untrust-local\]destination-zone local \[FW2-policy-security-rule-untrust-local\]action permit \[FW2-policy-security-rule-untrust-local\]q \[FW2-policy-security\]rule name local-untrust \[FW2-policy-security-rule-local-untrust\]source-zone local \[FW2-policy-security-rule-local-untrust\]destination-zone untrust \[FW2-policy-security-rule-local-untrust\]action permit \[FW2-policy-security-rule-local-untrust\]q \[FW2-policy-security\]rule name trust-untrust \[FW2-policy-security-rule-trust-untrust\]source-zone trust \[FW2-policy-security-rule-trust-untrust\]destination-zone untrust \[FW2-policy-security-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-security-rule-trust-untrust\]action permit \[FW2-policy-security-rule-trust-untrust\]q \[FW2-policy-security\]rule name untrust-trust \[FW2-policy-security-rule-untrust-trust\]source-zone untrust \[FW2-policy-security-rule-untrust-trust\]destination-zone trust \[FW2-policy-security-rule-untrust-trust\]source-address 192.168.1.0 0.0.0.255 \[FW2-policy-security-rule-untrust-trust\]action permit **8.** **配置NAT策略** \[FW1\]nat-policy \[FW1-policy-nat\]rule name trust-untrust \[FW1-policy-nat-rule-trust-untrust\]source-zone trust \[FW1-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW1-policy-nat-rule-trust-untrust\]source-address 192.168.1.0 0.0.0.255 \[FW1-policy-nat-rule-trust-untrust\]action source-nat easy-ip \[FW2\]nat-policy \[FW2-policy-nat\]rule name trust-untrust \[FW2-policy-nat-rule-trust-untrust\]source-zone trust \[FW2-policy-nat-rule-trust-untrust\]destination-zone untrust \[FW2-policy-nat-rule-trust-untrust\]source-address 192.168.2.0 0.0.0.255 \[FW2-policy-nat-rule-trust-untrust\]action source-nat easy-ip **验证：** **1.pc2ping** **通pc1** ![](https://i-blog.csdnimg.cn/direct/a732c73bc621449690661d69fffe9810.png) **2.** **查看FW2防火墙会话表（看GRE协议的数据包走向）** ![](https://i-blog.csdnimg.cn/direct/cfd17827e61a47968bcf9fdb0043c93a.png) **3.** **查看NAT地址转换（pc2ping100.1.1.1时，查看防火墙会话表，可以看到私网地址转换成200.1.1.2后访问100.1.1.1）** ![](https://i-blog.csdnimg.cn/direct/98bd075ad39c4a01834d152e183ac23a.png) **4.** **抓FW2G1/0/1端口的包查看（GRE的端口是47）** ![](https://i-blog.csdnimg.cn/direct/324da126ab134f369df65e5ecfb4c322.png)

上一篇：Redis ZSet 类型深度解析：底层数据结构与应用场景

下一篇：【话题】抓住鸿蒙生态崛起的机遇：挑战与对策

热门推荐

01GitHub 镜像站点 02Claude Code + GLM4.7 避坑指南：解决 Unable to connect to Anthropic services 03openclaw配置教程（linux+局域网ollama）04UV安装并设置国内源 05Linux下V2Ray安装配置指南 06AI 规范驱动开发“三剑客”深度对比：Spec-Kit、Kiro 与 OpenSpec 实战指南 07openclaw使用nginx反代部署过程与disconnected (1008): pairing required解决 08Claude Code Skills 实用使用手册 09在Trae中使用Pencil MCP 10Vue-skills的中文文档